Your CISSP is Worthless. Now what?

August 22nd, 2012

OK, so it’s not really worthless. It can help you get a job or a contract. But in the scheme of today’s infosec world? It’s really broken, in my opinion. Let me break down my thought process, since I’m typically pretty upbeat about things.

Over the years, I have had more than a few laughs with both clients and SANS students about various aspects of the CISSP. Few seem to *really* take it seriously. That’s a big indicator.

Second, there are far too many things in that cert/test that are completely and totally useless to 99% of us in infosec. As the Information Systems Security Professional, I do not need to know a damn thing about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge. But not relevant to most people’s infosec jobs, and thus extraneous in the cert.

Third, the CISSP demonstrates no hands-on skills. The test itself, completely insane in its wording and content in some cases, just makes you memorize a bunch of concepts. We don’t need many, if any, theoreticians today. I need tangible, real skills that can be put to good use immediately. You may argue that theory and research and risk and <blah blah blah> has its place. Sure it does. But I don’t need that in a cert like this. I want someone who can walk in the door and DO things. Not think about doing things. Or talk about doing things. Or answer obtuse questions about things without being able to perform hands-on tasks.

I’ve had some people tell me – “I’m proud of my CISSP.” Really? Of what, exactly?

Studying for a test

Taking and passing a long, obnoxious test

Doing WORK for 3-4 years (wow, welcome to a CAREER)

Having a college degree (in some cases)

Acquiring <puke> CPE credits for random bullshit-able things

Getting someone to attest that you are smart. And/or awesome.

People, it’s broken. HR offices are essentially discriminating against people who don’t have one, for really no good reason. This cert is ridiculous. If you have to get one for work, or compliance, or DOD 8570, or something…OK. But don’t strut around and act as though this really means you have something unique or special…you don’t. I know way too many CISSPs who can’t dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on. That does NOT bode well for the future of information security. If you argue that it’s meant to be a broad, “theory” cert – well, I argue we don’t NEED those. We need more DO-ers.

So what do I propose? I say scrap the whole thing. Start over. Build a cert and program that tests fundamental skills and means something to employers who really need things done. Offer existing cert holders one year and a free test to get the new one. Otherwise, they’re out. We need to weed out the people BSing their way through infosec on the back of a bunch of stupid CPEs. I’d love for the CISSP to mean something, and see the industry rally around it as a useful and legitimate indicator of knowledge and skill. We have friends of mine like Wim Remes on the ISC2 board, and Dave Lewis and Boris Sverdlik running for the board now. I would love to see more awesome folks like these guys steering the ship. But it needs an overhaul regardless.

I agree that most of the content within their 10 domains has become quite stale (questions about CCTV, really?). But while you make some very valid points, your message gets off track when you insult the smart, dedicated folks who worked hard to achieve a goal. Maybe that goal doesn’t make sense to you, but it made sense to a lot of folks at the time. Don’t paint with such a broad brush. There are good CISSPs out there.

I hear you, but definitely disagree. I’m not insulting the folks. I’m insulting the “I stand behind my CISSP” mentality. This is a goal, sure…but a rather silly one if you’re doing it to prove something. To get a job? OK, you’re off the hook. But being proud of cramming Shon Harris’ guide and then taking a test? No way. You should WANT to be better than that.

Understand where you’re coming from, but know that there are a lot of CISSPs that didn’t just stop after taking the test. They did want to be better. I know quite a few that used their CISSP to help get involved in community outreach, mentor and network with other CISSPs, and help create the next generation of infosec workers.

Don’t get me wrong, there are definitely things that need to be fixed, and I’m all for getting some fresh blood on the board. I just don’t agree with certain aspects of your argument.

The one part where I disagree is your comment on “we don’t need people thinking”. I know what you’re referring to – the very abstract concepts the CISSP covers. And you’re probably right there.

BUT… We DO need people thinking about what security IS – much more than we need people who just know how to configure firewalls and harden servers.

Because if you don’t know what security IS – and what it IS NOT – and how next to impossible it is to achieve – then you’re going to be wasting a hell of a lot of time doing things that do not achieve it.

This is the main problem in IT security today – everyone is doing the same things – the same “best practices” – and it isn’t working. And it will never work because it lacks a realization of what the nature of the problem actually is. Everyone needs to go way beyond “best practices” and start treating the real problem: that “security” is IMPOSSIBLE.

The CISSP is broad and not everything is relevant to IT. Ok I’ll concede that. However, if our nation was ever attacked via a “fire sale” type situation, you better have some law enforcement bad asses who know when to say, “YippeeKaiAh mother ^%*^%$” or our nation is doomed. The geeks better learn to work with the ops security types or there is going to be hell to pay. Moreover, if those geniuses in the movie knew a few things about social engineering and ops security perhaps their fried brains would not have been duped by the “chick with the sexy voice”. Security transcends technology!! The computers and cloud and all that are great, but the security principles discussed in the CISSP predate the internet revolution. The concepts are about warfare, ops security, spies, and stealing information through means other than IP.

Maybe packet structure was a bad example, as that is a fundamental concept, but all the Cisco/Microsoft stuff can more easily be crammed for, passed and forgotten about. There are many more out there far more worthy of scorn than the CISSP, which I find is usually attacked by people who haven’t got it.

In my view, the CISSP is meant to create a knowledge baseline among infosec professionals and not be the holy grail. You mention that some domains are not used by MOST professionals, but some DO need that skill set.

I see that coming from a guy busy making money with SANS. Would you take some time and effort and justify the cost associated with SANS trainings and exams?
Certificates are for people who want their resume to scream out and say “Hey, see, I am certified.”
One can live without certificates if they are capable. I know many guys working in secret services, armed forces and government agencies who do not have a single certificate to their credentials.
And yes, I agree with one comment above: CTF. While recruiting someone, better give them a test environment to demonstrate their skills rather than looking for that CISSP, SANS or other cert credentials.

@JamesGoz Well, I have one. And mostly to get contracts and such. And per your Twitter comment, “you clicked on my blog”…that IS the point of a blog post, to get people to go there and have a dialogue.

@lmalaquias Fair point, some DO need those skills. But they’re not really skills, they’re concepts that will likely fade if not reinforced often. How much have you crammed from university or before that you never used? CISSP feels similar on many things.

@Critic Aaaah, I was waiting for someone to throw out the SANS comment. Yes, of course I work with SANS and make money. SANS teaches concepts too. But GIAC certs have much more practical components. And I’d like to think that my fellow SANS instructors and I teach people how to DO things in many classes, versus just giving you concepts. Not all, certainly – some classes are more conceptual. But we tend to focus much more on the practical.

It seems a large part of the problem is in the name. CISSP certifies the holder has some knowledge and some IT experience at least vaguely related to security. However, it doesn’t automatically make the holder a security professional.
The other problem is that knowing about concepts is very different from actually understanding those concepts. Yes, DES has 16 rounds, a given firewall does this and that – but what are the wider implications of those things? How do they fit into the larger picture? How would a given threat break into a network, and why would it operate a certain way?

Having just sat the CISSP recently, I’d say it’s a bit like a university degree in that it helps you to think security; it doesn’t teach you technical details, but the fundamental theories and ‘best’ practices at the moment.
The GIAC certs then drill down into specific areas, just like the CEH (Certified Ethical Hacker) and vendor-specific certs.

Completely disagree that the CISSP is “worthless”. Yes, I’ll admit that the cert has fallen to the same fate as the once revered MCSE (due to market saturation by training centers making money off it). The CEH is not that far from sharing the same fate either. Yes, criticism of the “mile-wide, inch-deep” coverage of relevant (or even outdated) concepts is valid; however, let me explain why you’ll have a tough time getting HR to change their minimum requirements. How many companies out there actually have 8-10 specialized security pros on staff (ie. one for almost every domain)? What do you think a realistic percentage might be? If the answer is anything less than 100%, then the CISSP is indeed worthwhile to have. It has always had the status of entry-level certification and, until a better cert comes along, that’s where it should stay. I’d love to see how many of the “experienced security geniuses” out there harping on CISSPs can actually handle working with corporate management to implement the required controls covered in all domains, writing all those policies and procedures, and demonstrating business value. Your response is probably just to contract out the boring stuff so you can stick to playing with your pen-testing toys. I’m sorry for coming across so harshly but I think we need to be more supportive of our peers in the InfoSec Community – especially the newbies.

A bit harsh, sure, but I don’t expect or look for agreement…just dialogue. And I think you’re missing some of the point – this has nothing to do with newbies. You should see my post, “One for the n00bs”, and you’ll know I have nothing but love for people getting into the field (in general). Really, this is about a broken system, broken cert, and a lot of people paying good money for something that has very limited worth. I have a CISSP. I have also been a CISO and every other operational role you can think of, so yeah…I can do all that. I’m not being condescending just to be that way. But HR teams and others are under a false pretense with this one.

I’ve seen two things about certs in general: No cert is better than the person taking it, and the loss in value of most certs was not because of the cert concepts but because of how it was used in the market. A person taking an exam to validate their learning is different from one taking it to get a piece of paper to pad a resume. And it’s mostly the fault of HR departments and hiring managers that we’ve gotten to this point. For the record, I know people from other cert programs (including GIAC) “who can’t dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on.” It’s not a cert problem. Most of the firewall engineers that I’ve met can’t effectively dissect a packet, even if they learned how, because they don’t need to do it regularly. It’s a byproduct of how specialized we’ve become in the field. We don’t need to look at how we certify people as much as at how we train people. And if you expect certifications to tell you whether or not you should hire someone, you need to change your expectations, not the certifications. That’s what interviews are for.

I completely agree that the CISSP has been devalued; however, I have invested a lot of time and money into maintaining the certification and I would be disappointed to find I had to sit a further exam to maintain it, particularly if the exam was not relevant to my current work.
Not all CISSPs work in the same environment and I would be very interested what you would think would be appropriate for an exam for a ‘DOer’ – specific vendor interfaces, applications would not be appropriate IMO.
Perhaps the way for (ISC)2 to handle this would be to introduce (yet) another concentrator exam that would demonstrate the skills you are seeking.
I believe the CISSP does demonstrate the ability for the holder to /think/ about security and to reach decisions based on the best evidence available.
If HR departments are recruiting on the basis of a CISSP, I’m OK with that. It’s a differentiator. I sincerely hope that the interviewers are technically competent to weed out the charlatans that have passed the exam but have no practical knowledge – isn’t that what happens?

Alright CISSP’s of the world UNITE! What fire extinguisher might one use to douse the flames on the above cert? I think folks are getting far too hung up on the specific ‘fun facts’ in the CISSP and focusing too little on the mindset methodology of the principles being taught. Where the misnomer lies with the CISSP is in how it has been employed as a qualifier of prowess in the industry. I don’t think it was intended to be the “end all be all.” It is a mindset reference point from which to hone one’s skill. The industry and those who don’t really understand anything look at the acronym far too literally. They have perverted its intent and context – those in the industry looking for deserved validation followed the trend. And yes, physical security is part of IS so fire extinguishers are included. Not everything can be cloak and dagger fun stuff and not all data loss is due to theft.

If you know what you are doing is good and practical, keep doing it man, keep walking. Why this cheap stunt of commenting on something as “worthless”? Nothing in this world is worthless. A bad experience is a good learning in itself. You name EC-Council, Offensive Security, ISC, SANS, Infosec Institute etc. etc. – all of them are good. Each one of them is for learning. So my point is, if you don’t like CISSP stay away; why this rant? Why generalize things for others? Every course has its own uniqueness/advantages/disadvantages.
By the way, I am a SANS fan and like all the courses out there. I have seen SANS material, Offsec material, OpenSecurity, SecurityTube and some more great free courses out there 🙂
And if you think SANS is a very practical, hands-on, out-of-this-world course, then yes sir, good morning to you.

I have just passed and am awaiting final certification after working in IT / info sec for over 6 years.

It is a very difficult qualification to achieve; it requires a high level of commitment, clear thinking, reasoning and discipline to pass.

I would consider it a very useful HR tool to at least weed out the spoofers from the real infosec candidates. It is hard to achieve and this alone sets the bar high in terms of the quality of people who attain it.

It gives a very useful broad overview and tie-together of all aspects of the security environment, as well as broadening your mind in terms of seeing the bigger picture, and allows you to develop the emotional intelligence to speak at management level – something many infosec people lack.

No, it’s not very hands-on and operationally useful, but it does test the skills you need from a management and financial POV – something most senior managers are more concerned with in reality.

All in all, tough as it was, I am very glad I did it, and it has focussed my desire to improve in other areas as well.

Since the CISSP was set up by a consortium of interested groups (ISC2), it has the economic drivers that some (not all) employers will at least filter job candidates (if not hire them) by the CISSP certification. Fortunately, it is not a mandatory licensing, as is required by law of CPAs, physicians, nurses, etc. (even lawyers must pass the Bar to be practicing!) so a truly knowledgeable security specialist does not need “guild approval” to do good work in this current market. This is good, because we don’t rely on labels.

The debate about practical and theoretic capability is off-focus (“The difference between theory and practice is that in practice, there is a difference”). Somebody in academia (e.g. CERIAS at Purdue, CERT at Carnegie Mellon, et al.) will do the theoretical work. That said, the CISSP topics are not chosen by academics, so there is some merit to what ISC2 wants to test as a reflection of the Board’s interests.

If a person finds tangible value in the CISSP, then their choice in the marketplace is to study and pass the test. If not, they have alternatives. This is practice.

I would not recommend being proud of my SAT scores – even a perfect SAT does not mean you know anything – so I would also not rely on the CISSP as a merit badge.

Dave,
I appreciate your insights and would add that it’s only an indicator that an individual thought enough of this field to subject themselves to 3-6 months of cramming and 4 hours of brain regurgitation and got more than 70%…cheers.

My mom just recently had a major surgery, and when I met the doctor nothing about him, his age, degree, or his BMW keychain, impressed me or settled me more than when he said he’d done this procedure close to 1,000 times. I shook his hand and got out of his way. No substitute for experience, gang; that’s my 2 cents.

At any rate, I caught your Next Gen Sec Ops discussion at IANS, and wanted to know if you could provide any references for SOC guidelines/frameworks/operations.

It is good to get some criticism, but trying to explain that security is about configuring a firewall or writing a script or even doing a risk analysis is the same load of bull as saying that CISSP isn’t perhaps the greatest certification.
The CISSP certification is mostly misplaced by HR or recruitment agencies; it was never meant to be for the technical security specialist, who is addressed by other certifications. However, it is meant for somebody in charge, so that you as a team manager can understand your security staff and can put things in perspective.
A lot of rants against the CISSP are misplaced; if you don’t like it, don’t do it. But stop complaining that you missed a job because someone with a certification got it instead of you.

As someone who has been working as head of an information security program in an office of over 1,000 employees for 5 years now, I can say that the CISSP is valid and is a worthy certification to get. It’s not an easy test to pass either; it has a 50% pass rate, meaning that not everyone is capable of becoming a CISSP – it’s tough on purpose. The 10 domains are very wide and only an inch deep, but they are very relevant. I find myself working in at least 5-8 of the different domains each week. The job of a security manager is tough and operates at a high level – you don’t need to know how to implement a firewall, but you do need to know how to manage and talk to the people that do, and at the same time you need to know how to convince management/business owners that a new updated firewall is needed. The CISSP is VERY VALUABLE, and I encourage everyone who wants to be in SECURITY MANAGEMENT to take it. If you want to be down in the weeds setting up server equipment and doing things on a real hands-on technical basis, then get some Cisco or Microsoft certs. It all depends on what you want to do.